Amendments to the Claims:
This listing of claims replaces all prior versions and listings of claims in the application: 

Listing of Claims: 

1. (Currently Amended) A computer-readable medium included in a storage device and
having embodied thereon a computer program configured to determine whether a user is 
permitted to access a business object when executing a software application of an enterprise 
information technology system, the medium storing comprising one or more code segments 
configured to: 

use a permission object to determine whether a user associated with an entry in user 
information is permitted to access at least part of a data object associated with a data object type, 
wherein: 

the entry in the user information associates the user with a user affiliation, 
the permission object identifies: 

a user affiliation to which the permission object applies, 

a data object type to which the permission object applies such that the data object 
type identified by the permission object is associated with multiple attributes and each 
data object having the data object type identified by the permission object is associated 
with the multiple attributes, 

a permission attribute identifying at least one of the multiple attributes, 

a permission value for the permission attribute, and 

an attribute access group having one or more attributes of the multiple attributes 
associated with the data object type identified by the permission object,

an attribute value group having one or more values associated with the one or
more attributes in the attribute access group, and

wherein upon determination that (1) the user affiliation that is associated with the user is 
the same user affiliation as the user affiliation to which the permission object applies, (2) the data 
object type of the data object is the same data object type as the data object type to which the
permission object applies, (3) a value of an attribute of the multiple attributes associated with the 
data object is consistent with the permission value of the permission attribute and the attribute 
corresponds to the permission attribute, and (4) at least one attribute of the data object that the 
user seeks to access corresponds to an attribute of the attribute access group of the permission 
object, and (5) a value of an attribute of one of the multiple attributes associated with the data
object is consistent with the value of the attribute of the attribute value group, the user is
permitted to access the attribute sought to be accessed, and wherein otherwise the user is denied
access to the attribute sought to be accessed and not permitted to access any other of the multiple
attributes not corresponding to the attribute of the attribute access group,

2. (Currently Amended) The medium of claim 1 wherein the one or more code segments 
are further configured to permit the user to access at least part of the data object when the value 
of the attribute of one of the multiple attributes associated with the data object is the same as the 
permission value of the permission attribute. 

3. (Currently Amended) The medium of claim 1 wherein the one or more code segments 
are further configured to permit the user to access at least part of the data object when the value 
of the attribute of one of the multiple attributes associated with the data object is [[the]] within a 
range specified by the permission value of the permission attribute. 

4. (Currently Amended) The medium of claim 1 wherein the one or more code segments 
are further configured to permit the user to access at least part of the data object when the value 
of the attribute of one of the multiple attributes associated with the data object is one of
enumerated values specified by the permission value of the permission attribute. 



5-6. (Canceled)

7. (Previously Presented) The medium of claim 1 wherein:
the permission object identifies a permitted action, and 

the one or more code segments are further configured to permit the user to access at least 
part of the data object and perform an action on the data object when the action is consistent with 
the permitted action identified in the permission object. 

8. (Currently Amended) A method for determining whether a user is permitted to access 
a business object when executing a software application of an enterprise information technology 
system, the method comprising: 

using a permission object to determine whether a user associated with an entry in user 
information is permitted to access at least part of a data object associated with a data object type, 
wherein: 

the entry in the user information associates the user with a user affiliation, 
the permission object identifies: 

a user affiliation to which the permission object applies, 

a data object type to which the permission object applies such that the data object 
type identified by the permission object is associated with multiple attributes and each 
data object having the data object type identified by the permission object is associated 
with the multiple attributes, 

a permission attribute identifying at least one of the multiple attributes, 

a permission value for the permission attribute, and 

an attribute access group having one or more attributes of the multiple attributes 
associated with the data object type identified by the permission object,

an attribute value group having one or more values associated with the one or
more attributes in the attribute access group, and

wherein upon determination that (1) the user affiliation that is associated with the user is 
the same user affiliation as the user affiliation to which the permission object applies, (2) the data 
object type of the data object is the same data object type as the data object type to which the
permission object applies, (3) a value of an attribute of the multiple attributes associated with the
data object is consistent with the permission value of the permission attribute and the attribute 
corresponds to the permission attribute, and (4) at least one attribute of the data object that the 
user seeks to access corresponds to an attribute of the attribute access group of the permission 
object, and (5) a value of an attribute of one of the multiple attributes associated with the data
object is consistent with the value of the attribute of the attribute value group, the user is
permitted to access the attribute sought to be accessed, and wherein otherwise the user is denied
access to the attribute sought to be accessed and not permitted to access any other of the multiple
attributes not corresponding to the attribute of the attribute access group.

9. (Currently Amended) The method of claim 8 further comprising permitting the user 
to access at least part of the data object when the value of the attribute of one of the multiple
attributes associated with the data object is the same as the permission value of the permission 
attribute. 

10. (Currently Amended) The method of claim 8 further comprising permitting the user
to access at least part of the data object when the value of the attribute of one of the multiple
attributes associated with the data object is [[the]] within a range specified by the permission 
value of the permission attribute. 

11. (Currently Amended) The method of claim 8 further comprising permitting the user
to access at least part of the data object when the value of the attribute of one of the multiple 
attributes associated with the data object is one of enumerated values specified by the permission 
value of the permission attribute. 



12. (Canceled)

13. (Currently Amended) A computer system for determining whether a user is
permitted to access at least part of a data object when executing a software application of an 
enterprise information technology system, the system tangibly embodied and comprising: 

a processor; 

a storage device including a data repository for access control information for software 
having data objects, each data object (1) being associated with a data object type having multiple
attributes, (2) having multiple attributes that are the same as the multiple attributes of the data
object type to which the data object is associated, and (3) having a value associated with each 
attribute of the multiple attributes, the data repository including: 

user information that associates a user affiliation with a user of the software
application, and

permission information having multiple permission objects, each permission 
object identifying a user affiliation to which the permission object applies, a data object 
type to which the permission object applies, a permission attribute identifying one of the 
multiple attributes, a permission value for the permission attribute, and an attribute access 
group having one or more attributes of the multiple attributes of associated with the data
object type, and an attribute value group having one or more values associated with the
one or more attributes in the attribute access group; and
an executable software module executed by the processor that causes: 

a comparison of a value of an attribute of the multiple attributes of associated with
a data object to which a user seeks [[to]] access such that the attribute of the multiple 
attributes corresponds to the permission attribute of a permission object with the 
permission value of the permission object, 

a comparison of at least one attribute of the data object that the user seeks to 
access such that the attribute sought to be accessed corresponds to an attribute of the
attribute access group of the permission object, 
a comparison of a value of an attribute of one of the multiple attributes associated
with the data object such that the value is consistent with the value of the attribute of the
attribute value group, and

an indication that a user is permitted to access the attribute sought to be accessed 
and not permitted to access any other of the multiple attributes not corresponding to the
attribute of the attribute access group when (1) the value of the attribute of associated with
the data object is consistent with the permission value of the permission object, and (2) at
least one attribute of the data object that the user seeks to access corresponds to an
attribute of the attribute access group of the permission object, and wherein otherwise the
user is denied access to the attribute sought to be accessed, and (3) a value of an attribute
of one of the multiple attributes associated with the data object is consistent with the
value of the attribute of the attribute value group.

14. (Currently Amended) The system of claim 13 wherein the executable software 
module causes an indication that a user is permitted to access the attribute sought to be accessed 
at least part of the data object when the value of the attribute of one of the multiple attributes
associated with the data object is the same as the permission value of the permission attribute. 

15. (Currently Amended) The system of claim 13 wherein the executable software 
module causes an indication that a user is permitted to access the attribute sought to be accessed 
at least part of the data object when the value of the attribute of one of the multiple attributes
associated with the data object is [[the]] within a range specified by the permission value of the
permission attribute. 



16. (Currently Amended) The system of claim 13 wherein the executable software 
module causes an indication that a user is permitted to access the attribute sought to be accessed 
at least part of the data object when the value of the attribute of one of the multiple attributes
associated with the data object is one of enumerated values specified by the permission value of
the permission attribute. 

17-18. (Canceled) 

19. (Currently Amended) The system of claim 13 wherein: 
the permission object identifies a permitted action, and 

the executable software module causes an indication that a user is permitted to access the 
attribute sought to be accessed at least part of the data object and perform an action on the
attribute sought to be accessed data object when the action is consistent with the permitted action
identified in the permission object. 

20. (Previously Presented) The medium of claim 1 wherein: 
the permission object identifies a permitted action, and 

the one or more code segments are further configured to permit the user to access the at 
least part of data object and perform one or more database operations on the data object when the 
action is consistent with the permitted action identified in the permission object, where the 
database operations comprise create, read, update and delete. 
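
The attribute-level check recited in claims 1-4, 7 and 20, worked through as an added Python example that is not part of the filing. The class names, field names and the sample sales order are assumptions constructed for illustration; the attribute value group is not modeled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Match:
    """Permission value: exact (claim 2), range (claim 3) or enumerated (claim 4)."""
    kind: str      # "eq", "range" or "enum" (hypothetical labels)
    value: object

    def accepts(self, v):
        try:
            if v is None:
                return False              # missing attribute never matches
            if self.kind == "eq":
                return v == self.value
            if self.kind == "range":
                lo, hi = self.value
                return lo <= v <= hi
            if self.kind == "enum":
                return v in self.value
        except TypeError:
            pass                          # incomparable types fail closed
        return False                      # unknown kind fails closed

@dataclass(frozen=True)
class PermissionObject:
    affiliation: str
    object_type: str
    permission_attribute: str
    permission_value: Match
    attribute_access_group: frozenset
    permitted_actions: frozenset = frozenset({"read"})

def is_permitted(affiliation, obj_type, obj_attrs, wanted, action, perm):
    return (perm.affiliation == affiliation                    # condition (1)
            and perm.object_type == obj_type                   # condition (2)
            and perm.permission_value.accepts(
                obj_attrs.get(perm.permission_attribute))      # condition (3)
            and wanted in obj_attrs
            and wanted in perm.attribute_access_group          # condition (4)
            and action in perm.permitted_actions)              # claims 7 and 20

def authorize(affiliation, obj_type, obj_attrs, wanted, action, perms):
    """Default deny: granted only if one permission object meets every condition."""
    return any(is_permitted(affiliation, obj_type, obj_attrs, wanted, action, p)
               for p in perms)

# Constructed sample data, not taken from the filing.
ORDER = {"region": "EMEA", "amount": 12000, "customer": "ACME", "margin": 0.31}
PERMS = [PermissionObject("sales", "SalesOrder", "amount", Match("range", (0, 50000)),
                          frozenset({"customer", "amount"}), frozenset({"read", "update"}))]
```

With this data, a user affiliated with "sales" can read or update `customer` and `amount` on orders up to 50000, while `margin` and `region` stay denied because they fall outside the attribute access group.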



